Let's say you're using Piwik through "WP-Piwik" on WordPress, and your WordPress website gets compromised... I would expect then to need to change the Piwik tokens just in case the attackers got a hold of them.
From what I see in the Admin > Users area in piwik, there is no way to generate a new token for a user. There should be.
There would be a way via the UsersManager.regenerateTokenAuth API. Apart from this, could you log in as the user and regenerate the token in the UI?
Well that's exactly what I tried doing, but there seems to be no button or editable field for this in "Admin > Users"... hence my bug report :)
When you are logged in, you should be able to do this in "Personal Settings". You need to be logged in as the user you want to reset.
?module=UsersManager&action=userSettings ? I don't see this at all, nor in
?module=API&action=listAllAPI (that 2nd page shows the token but doesn't allow changing it), nor in
?module=UsersManager&action=index... I can't find such a reset feature for my user, anywhere... I must be missing something obvious? I tried this on 2.16.x
Ah sorry, I assumed you are on Piwik 3.
In Piwik 2 a workaround is to change the password and a new token will be generated.
...oh! I see. But then this prompts a security question, if you don't mind: I see now that the auth token indeed gets changed if you change to a different passphrase; however, if you change the passphrase back to what it was, the auth token changes back to the previous one... which indicates that it actually is only an MD5 hash of the password. Uh oh.
Could you tell me if this has changed in 3.x, if the token auth is actually decoupled from the user's passphrase, or if it's still a hash of it? Because if it's still strongly associated with the password, it would seem to me like a vulnerability?
Yes, this was changed in Piwik 3.
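The round-trip check described in the thread (change the password, change it back, see whether the token comes back) is a quick way to tell a password-derived token from an independently generated one. The following is an added example, not code from the Piwik project or from anyone in this thread: it models the Piwik 2 behaviour the reporter observed as `md5(password)` (an assumption about the exact formula; the thread only says the token is an MD5 hash of the password), contrasts it with a randomly generated token that survives password round-trips, and builds the Piwik 3 API request for `UsersManager.regenerateTokenAuth`. The `userLogin` parameter name and the `https://piwik.example.org` host are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlsplit


def derived_token(password: str) -> str:
    """Piwik 2 style token as the thread describes it, modelled here as
    md5(password). This is an assumption about the formula, used only to
    show why a password-derived token is a problem."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def random_token(_password: str) -> str:
    """Independently generated token (Piwik 3 style): unrelated to the
    password, so it cannot be recovered by restoring an old password."""
    return secrets.token_hex(16)


def roundtrip_restores_token(make_token: Callable[[str], str],
                             original: str = "constructed-passphrase",
                             temporary: str = "constructed-other") -> bool:
    """The reporter's experiment: switch the password away and back again.
    Returns True when the original token reappears, which means the token is
    a function of the password rather than an independent secret."""
    before = make_token(original)
    make_token(temporary)           # intermediate change
    after = make_token(original)    # change back
    return before == after


def token_looks_password_derived(password: str, token_auth: str) -> bool:
    """Defensive check: does a stored token equal the modelled derivation?
    A True result means rotating the password is the only way to rotate the
    token, and an attacker who learned the token has a password hash too."""
    return secrets.compare_digest(derived_token(password), token_auth)


def regenerate_token_url(base_url: str, user_login: str, admin_token: str) -> str:
    """Build the Piwik 3 API call named in the thread. Piwik's HTTP API takes
    module=API&method=<Module.method>; the userLogin parameter name is an
    assumption, and the caller must authenticate with a token that is
    allowed to manage the target user."""
    query = urlencode({
        "module": "API",
        "method": "UsersManager.regenerateTokenAuth",
        "userLogin": user_login,
        "format": "json",
        "token_auth": admin_token,
    })
    return f"{base_url.rstrip('/')}/index.php?{query}"


def parse_api_method(url: str) -> str:
    """Helper used to confirm the built URL targets the intended method."""
    return parse_qs(urlsplit(url).query)["method"][0]


if __name__ == "__main__":
    print("derived token survives password round-trip:",
          roundtrip_restores_token(derived_token))   # True: weak scheme
    print("random token survives password round-trip:",
          roundtrip_restores_token(random_token))    # False: independent secret
    print(regenerate_token_url("https://piwik.example.org",
                               "wp-piwik", "ADMIN_TOKEN_PLACEHOLDER"))
```

After a WordPress compromise the practical consequence is the one the thread arrives at: on Piwik 2, rotate the token by setting a genuinely new password (never the old one again); on Piwik 3, regenerate the token directly and leave the password alone if it was not exposed.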